Approval gates
Approval gates bind a reviewed Automax plan to a JSON approval file. Operators can create an approval after reviewing the same job, inventory, vars and selector inputs that will later be executed.
Approval files are intentionally secret-free. Create them without --secrets; runs can still pass --secrets later because approval verification compares the secret-free review surface.
Create an approval
automax approval create \
--job job.yaml \
--inventory inventory.yaml \
--vars vars.yaml \
--approved-by change-1234 \
--reason "Approved maintenance window" \
--expires-at 2026-06-30T23:00:00Z \
--output approvals/change-1234.json
The approval file records:
- approver identity;
- approval timestamp;
- optional expiry timestamp;
- optional reason or ticket reference;
- SHA-256 digest of the secret-free operator review;
- short review summary.
Verify an approval
automax approval verify \
--job job.yaml \
--inventory inventory.yaml \
--vars vars.yaml \
--approval approvals/change-1234.json
Verification fails when the selected plan, inventory, vars, filters or tags no longer match the reviewed content. It also fails after expires_at.
Run with an approval gate
automax run \
--job job.yaml \
--inventory inventory.yaml \
--vars vars.yaml \
--secrets secrets.yaml \
--approval approvals/change-1234.json
The run verifies the approval file before execution. Dry runs do not require approval verification, so operators can still preview changes before asking for sign-off.
Operator workflow
A typical change workflow is:
automax review --job job.yaml --inventory inventory.yaml --vars vars.yaml --output review.md
automax approval create --job job.yaml --inventory inventory.yaml --vars vars.yaml --approved-by change-1234 --output approval.json
automax approval verify --job job.yaml --inventory inventory.yaml --vars vars.yaml --approval approval.json
automax run --job job.yaml --inventory inventory.yaml --vars vars.yaml --secrets secrets.yaml --approval approval.json
Keep approval files with the release or change record when the environment requires auditable operator sign-off.